Defense Civil Support:

DOD Needs to Identify National Guard's Cyber Capabilities and Address Challenges in Its Exercises

GAO-16-574: Published: Sep 6, 2016. Publicly Released: Sep 6, 2016.

Contact:

Joseph W. Kirschbaum
(202) 512-9971
kirschbaumj@gao.gov

 


What GAO Found

National Guard units have developed capabilities that could be used, if requested and approved, to support civil authorities in a cyber incident; however, the Department of Defense (DOD) does not have visibility of all National Guard units' capabilities for this support. GAO found three types of cyber capabilities that exist in National Guard units:

Communications directorates: These organizations operate and maintain the National Guard's information network.

Computer network defense teams: These teams protect National Guard information systems, could serve as first responders for states' cyber emergencies, and provide surge capacity to national capabilities.

Cyber units: These teams are to conduct cyberspace operations.

However, DOD does not have visibility of all National Guard units' cyber capabilities because the department has not maintained a database that identifies the National Guard units' cyber-related emergency response capabilities, as required by law. Without such a database to fully and quickly identify National Guard cyber capabilities, DOD may not have timely access to these capabilities when requested by civil authorities during a cyber incident.

DOD has conducted or participated in exercises to support civil authorities in a cyber incident or to test the responses to simulated attacks on cyber infrastructure owned by civil authorities, but has experienced several challenges that it has not addressed. These challenges include limited participant access because of a classified exercise environment, limited inclusion of other federal agencies and critical infrastructure owners, and inadequate incorporation of joint physical-cyber scenarios. In addition to these challenges, DOD has not identified and conducted a “tier 1” exercise—an exercise involving national-level organizations and combatant commanders and staff in highly complex environments. A DOD cyber strategy planning document states, and DOD officials agreed, that such an exercise is needed to help prepare forces in the event of a disaster with physical and cyber effects. Until DOD identifies and conducts a tier 1 exercise, DOD will miss an opportunity to fully test response plans, evaluate response capabilities, assess the clarity of established roles and responsibilities, and address the challenges DOD has experienced in prior exercises. The table below shows selected DOD-conducted exercises.

Selected DOD Exercises Designed to Support Civil Authorities During or After a Cyber Incident

| Exercise title | Exercise host | Fiscal year | Cyber civil-support objective |
| --- | --- | --- | --- |
| Cyber Guard 15 | U.S. Cyber Command | 2015 | Test DOD participation in a response to a cyberattack of significant consequence against U.S. critical infrastructure. |
| Cyber Shield 2015 | Army National Guard | 2015 | Train and evaluate U.S. Army National Guard computer network defense teams in a civil-support scenario. |
| Vista Host II | North American Aerospace Defense Command and U.S. Northern Command | 2015 | Examine planning assumptions, potential resource requirements, and roles and responsibilities associated with cyber-related defense support to civil authorities operations. |

Source: GAO analysis of DOD documentation | GAO-16-574

Why GAO Did This Study

The DOD 2015 Cyber Strategy reported that a cyber attack could present a significant risk to U.S. national security. House Report 114-102 included a provision that GAO assess DOD's plans for providing support to civil authorities for a domestic cyber incident.

This report assesses whether (1) the National Guard has developed and DOD has visibility over capabilities that could support civil authorities in a cyber incident; and (2) DOD has conducted and participated in exercises to support civil authorities in cyber incidents and any challenges it faced. To conduct this review, GAO examined DOD and National Guard reports, policies, and guidance and interviewed officials about the National Guard's capabilities in defense support to civil authorities. GAO also reviewed after-action reports and interviewed DOD officials about exercise planning.

What GAO Recommends

GAO recommends that DOD maintain a database that identifies National Guard cyber capabilities, conduct a tier 1 exercise to prepare its forces in the event of a disaster with cyber effects, and address challenges from prior exercises. DOD partially concurred with the recommendations, stating that current mechanisms and exercises are sufficient to address the issues highlighted in the report. GAO believes that the mechanisms and exercises, in their current formats, are not sufficient and continues to believe the recommendations are valid, as described in the report.

For more information, contact Joseph W. Kirschbaum at (202) 512-9971 or kirschbaumj@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: DOD partially concurred with this recommendation. DOD agreed that tracking the capability of the Reserve and National Guard forces is important, but stated that the department already tracks this information across the whole force. As of July 2017, the department has not implemented this recommendation and indicated that the National Guard units' cyber capabilities, when fully established, will be tracked in the Defense Readiness Reporting System (DRRS). We maintain our position that this system alone will not provide DOD leaders complete information about National Guard cyber capabilities (especially those outside of CYBERCOM's Cyber Mission Force) that could facilitate a quick response in a cyber incident and that they could employ to assist civil authorities. Such support could include defensive cyberspace operations, network support, and/or forensic support. We continue to believe that DOD should maintain a database--as required by law--that can fully and quickly identify the cyber capabilities that the National Guard possesses. Without such a database to fully and quickly identify National Guard cyber capabilities, DOD may not have timely access to these capabilities when requested by civil authorities during a cyber incident.

    Recommendation: To ensure that decision makers have immediate visibility into all capabilities of the National Guard that could support civil authorities in a cyber incident, the Secretary of Defense should maintain a database that can fully and quickly identify the cyber capabilities that the National Guard in the 50 states, three territories, and the District of Columbia have and could be used--if requested and approved--to support civil authorities in a cyber incident.

    Agency Affected: Department of Defense

  2. Status: Open

    Comments: DOD partially concurred with this recommendation. The department agreed that it is important to exercise across the whole range of challenges associated with a cyber incident, but stated that their existing CYBER GUARD exercises met the intent of the recommendation. Since DOD did not demonstrate an intention to further implement the recommendation, Congress--through the National Defense Authorization Act for Fiscal Year 2019--included a provision requiring DOD to conduct a tier 1 exercise of support to civil authorities for a cyber incident. Until DOD identifies and conducts a tier 1 exercise, DOD will miss an opportunity to fully test response plans, evaluate response capabilities, assess the clarity of established roles and responsibilities, and address the challenges DOD has experienced in prior exercises.

    Recommendation: To better prepare DOD to support civil authorities in a cyber incident, the Secretary of Defense should direct the Deputy Assistant Secretary of Defense for Cyber Policy, the Chief of the National Guard Bureau, the Commander of U.S. Northern Command, and the Commander of U.S. Cyber Command to conduct a tier 1 exercise that will improve DOD's planning efforts to support civil authorities in a cyber incident. Such an exercise should also address challenges from prior exercises, such as limited participant access to exercise environment, inclusion of other federal agencies and private-sector cybersecurity vendors, and incorporation of emergency or disaster scenarios concurrent to cyber incidents.

    Agency Affected: Department of Defense

 
